Hong Kong Healthcare Artificial Intelligence SocietyHong Kong Healthcare Artificial Intelligence Society

Privacy & Data Protection in Health AI

Understand jurisdictional privacy laws, design privacy from the start, and separate cybersecurity incidents from broader privacy harms — with PDPO and cross-border transfer awareness for Hong Kong.

All articlesSource document
Privacy and security protections for health data used in AI systems

Sensitive health data

WHO's Global Strategy on Digital Health classifies health data as sensitive personal data requiring strong legal and regulatory protection of privacy, confidentiality, integrity, and availability. AI increases demand for large datasets, while high-dimensional data can make anonymization and de-identification harder.

Developers, deployers, and manufacturers must navigate a thickening web of laws — early understanding of applicable regulations is essential.

Jurisdictional complexity

Roughly 145 countries and regions have data protection laws. Definitions of privacy vs data protection differ; consent rules vary (e.g. explicit consent for health data under GDPR Article 9). Cross-border transfer rules may require adequacy assessments before sharing data internationally.

For Hong Kong healthcare professionals:

  • The Personal Data (Privacy) Ordinance (PDPO) governs collection, use, and security of personal data, with the Privacy Commissioner for Personal Data (PCPD) providing guidance;
  • Cloud-hosted AI tools may process data outside Hong Kong — trigger due diligence on processors, subprocessors, and transfer mechanisms;
  • Separate ethical guidance exists in WHO's FG-AI4H deliverable on ethical considerations — complementing this regulatory overview.

Privacy vs cybersecurity risks

WHO distinguishes cybersecurity risks (loss of confidentiality, integrity, or availability from incidents) from privacy risks (dignity harms, discrimination, economic loss, or other impacts from data processing). Compliance programmes should address both, with documented processing operations, risk assessments, and mitigations aligned to potential harm and enforcement context.

Documentation and transparency

Privacy policy disclosures help regulators benchmark data handling. Documentation should cover data types and sources, purposes and legal bases, consent approaches, storage security, and uses of personal information in algorithmic decisions where required by law.

Clinicians should not enter identifiable patient data into non-approved AI tools, and institutions should maintain clear policies on generative AI and clinical documentation.

Source: WHO — Regulatory considerations on artificial intelligence for health (2023)

Ready to test your knowledge?

Take a short quiz based on this article to check your understanding.

Take the quiz